diff --git a/app/Extensions/WebauthnTwoFAuthUserProvider.php b/app/Extensions/WebauthnTwoFAuthUserProvider.php
new file mode 100644
index 00000000..c86741de
--- /dev/null
+++ b/app/Extensions/WebauthnTwoFAuthUserProvider.php
@@ -0,0 +1,28 @@
+isSignedChallenge($credentials)) {
+ return $this->validateWebAuthn();
+ }
+
+ // If the user disabled the fallback is enabled, we will validate the credential password.
+ return $user->preferences['useWebauthnOnly'] == false && EloquentUserProvider::validateCredentials($user, $credentials);
+ }
+}
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 7a0513df..c0ecb334 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
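Review bot: In app/Extensions/WebauthnTwoFAuthUserProvider.php the password fallback is gated by a loose comparison, `$user->preferences['useWebauthnOnly'] == false`, so a missing key, `null`, `0`, `''` and `'0'` all read as "fallback allowed", while a stored string such as `'false'` reads as "WebAuthn only". This line is the control that stops a password from bypassing the security key, so the meaning of an absent or non-boolean preference should be explicit, for example `$webauthnOnly = filter_var($user->preferences['useWebauthnOnly'] ?? false, FILTER_VALIDATE_BOOLEAN);` followed by `return ! $webauthnOnly && EloquentUserProvider::validateCredentials($user, $credentials);`. How `preferences` is populated or cast is not visible here, so the default for a missing value needs confirming against the model. The comment above the return is garbled; I would replace it with `// Password fallback is allowed only when the user has not enabled "useWebauthnOnly".` The method signature and class declaration are not visible in this hunk.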
@@ -88,19 +88,17 @@ class AuthServiceProvider extends ServiceProvider
 return new ReverseProxyGuard(Auth::createUserProvider($config['provider']));
 });
- // Previously we were using a custom user provider derived from the Larapass user provider
- // in order to honor the "useWebauthnOnly" user option.
- // Since Laragear\WebAuthn now replaces DarkGhostHunter\Larapass, the new approach is
- // simplier: We overload the 'eloquent-webauthn' registration from Laragear\WebAuthn\WebAuthnServiceProvider
- // with a custom closure that uses the "useWebauthnOnly" user option
+ // We use a custom user provider derivated from the Laragear\WebAuthn one to honor the "useWebauthnOnly" user option.
+ // As this option is now available in the $user->preferences array it is no more possible to overload the $fallback
+ // value here because $user is not available at registration.
 Auth::provider(
 'eloquent-webauthn',
 static function (\Illuminate\Contracts\Foundation\Application $app, array $config) : \Laragear\WebAuthn\Auth\WebAuthnUserProvider {
- return new \Laragear\WebAuthn\Auth\WebAuthnUserProvider(
+ return new \App\Extensions\WebauthnTwoFAuthUserProvider(
 $app->make('hash'),
 $config['model'],
 $app->make(\Laragear\WebAuthn\Assertion\Validator\AssertionValidator::class),
- Settings::get('useWebauthnOnly') ? false : true
+ true
 );
 }
 );
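Review bot: The fourth constructor argument is now a bare `true`, so the provider is always built with password fallback permitted and the "useWebauthnOnly" restriction exists only in the subclass's validateCredentials() override; nothing on that line says so. I would add a comment there such as `// Fallback stays enabled at construction; WebauthnTwoFAuthUserProvider::validateCredentials() enforces the per-user "useWebauthnOnly" preference.` It is also worth checking whether any other inherited method reads the fallback flag, since it can no longer be switched off at registration; that is not visible from this hunk. A feature test asserting that a user with the preference enabled is rejected on a password-only login would pin the behaviour. The enclosing method starts and ends outside the hunk.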